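        /// <summary>
        /// Collects every key of every hive in <see cref="Hives"/> from both the 32-bit and the 64-bit
        /// registry view and writes each converted key to the database under <see cref="RunId"/>.
        /// </summary>
        /// <remarks>
        /// A hive that matches a "Hive/Exclude" filter and no "Hive/Include" filter is skipped. Two defects
        /// of the previous version are fixed: an excluded hive <c>return</c>ed out of the whole collector,
        /// so every later hive was silently never scanned; and the parallel branch walked the 32-bit
        /// enumerable twice, so with <see cref="Parallelize"/> set the 64-bit view was never collected.
        /// A "Key/Exclude" filter query whose boolean result was discarded has been removed; it had no
        /// effect on what was collected.
        /// </remarks>
        public override void ExecuteInternal()
        {
            var platform = AsaHelpers.GetPlatformString();

            foreach (var hive in Hives)
            {
                var hiveName = hive.ToString();
                Log.Debug("Starting " + hiveName);

                // Include takes precedence over Exclude. On an Exclude match only this hive is skipped.
                if (!Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Include", hiveName)
                    && Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex? Capturer))
                {
                    Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), Capturer?.ToString());
                    continue;
                }

                // Converts a single key and persists it. A key the walker cannot convert is logged and
                // skipped so that one unreadable key does not abort the rest of the hive.
                void IterateOn(RegistryKey registryKey, RegistryView registryView)
                {
                    try
                    {
                        var regObj = RegistryWalker.RegistryKeyToRegistryObject(registryKey, registryView);

                        if (regObj != null)
                        {
                            DatabaseManager.Write(regObj, RunId);
                        }
                    }
                    catch (InvalidOperationException e)
                    {
                        // NOTE(review): this serializes a live RegistryKey (handle, counts) for a debug line;
                        // logging registryKey.Name would be the safer diagnostic - kept as-is for now.
                        Log.Debug(e, JsonSerializer.Serialize(registryKey) + " invalid op exept");
                    }
                }

                var x86_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry32);
                var x64_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry64);

                if (Parallelize)
                {
                    Parallel.ForEach(x86_Enumerable, registryKey => IterateOn(registryKey, RegistryView.Registry32));
                    // Previously this re-walked x86_Enumerable; the 64-bit view must use its own walker output.
                    Parallel.ForEach(x64_Enumerable, registryKey => IterateOn(registryKey, RegistryView.Registry64));
                }
                else
                {
                    foreach (var registryKey in x86_Enumerable)
                    {
                        IterateOn(registryKey, RegistryView.Registry32);
                    }
                    foreach (var registryKey in x64_Enumerable)
                    {
                        IterateOn(registryKey, RegistryView.Registry64);
                    }
                }

                Log.Debug("Finished " + hiveName);
            }
        }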
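        /// <summary>
        /// Walks every hive in <see cref="Hives"/>, converting each key in parallel and writing it to the
        /// database under <see cref="RunId"/>. Hives matching a "Hive/Exclude" filter and no
        /// "Hive/Include" filter are skipped.
        /// </summary>
        /// <remarks>
        /// Fixed: an excluded hive previously <c>return</c>ed from the method, so every hive after it was
        /// silently never scanned; it now <c>continue</c>s to the next hive. A "Key/Exclude" filter query
        /// whose boolean result was discarded has been removed, as it had no effect.
        /// </remarks>
        public override void ExecuteInternal()
        {
            var platform = AsaHelpers.GetPlatformString();

            foreach (var hive in Hives)
            {
                var hiveName = hive.ToString();
                Log.Debug("Starting " + hiveName);

                // Include takes precedence over Exclude; an Exclude match skips only this hive.
                if (!Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Include", hiveName)
                    && Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex Capturer))
                {
                    Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), Capturer.ToString());
                    continue;
                }

                var registryInfoEnumerable = RegistryWalker.WalkHive(hive);
                Parallel.ForEach(registryInfoEnumerable, registryKey =>
                {
                    try
                    {
                        var regObj = RegistryKeyToRegistryObject(registryKey);

                        if (regObj != null)
                        {
                            DatabaseManager.Write(regObj, RunId);
                        }
                    }
                    catch (InvalidOperationException e)
                    {
                        // One unreadable key is logged and skipped; the rest of the hive still runs.
                        Log.Debug(e, JsonConvert.SerializeObject(registryKey) + " invalid op exept");
                    }
                });

                Log.Debug("Finished " + hiveName);
            }
        }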
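        /// <summary>
        /// Entry point of the registry collector: starts the run, clears previous results for
        /// <c>runId</c>, walks every hive in <see cref="Hives"/> in parallel, writes each key, then
        /// commits and stops.
        /// </summary>
        /// <remarks>
        /// The platform check now runs before <see cref="Start"/>, as the other <c>Execute</c> variant in
        /// this file already does; previously an unsupported platform left the collector started but never
        /// stopped. Hives matching a "Hive/Exclude" filter and no "Hive/Include" filter are skipped.
        /// </remarks>
        public override void Execute()
        {
            if (!this.CanRunOnPlatform())
            {
                return;
            }

            Start();
            Log.Information(JsonConvert.SerializeObject(DefaultHives));
            Truncate(this.runId);

            var runtime = Helpers.RuntimeString();

            Parallel.ForEach(Hives, hive =>
            {
                var hiveName = hive.ToString();
                Log.Debug("Starting " + hiveName);

                // Include takes precedence; an Exclude match skips this hive only (return ends just this iteration).
                if (!Filter.IsFiltered(runtime, "Scan", "Registry", "Hive", "Include", hiveName)
                    && Filter.IsFiltered(runtime, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex Capturer))
                {
                    Log.Information("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), Capturer.ToString());
                    return;
                }

                var registryInfoEnumerable = RegistryWalker.WalkHive(hive);
                try
                {
                    Parallel.ForEach(registryInfoEnumerable, registryObject =>
                    {
                        try
                        {
                            Write(registryObject);
                        }
                        // Some registry keys don't get along
                        catch (InvalidOperationException e)
                        {
                            Log.Debug(registryObject.Key + " " + e.GetType());
                        }
                    });
                }
                catch (Exception e)
                {
                    // Worker failures surface here (Parallel.ForEach wraps them); log, report, and let
                    // the remaining hives finish.
                    Log.Debug(e.GetType().ToString());
                    Log.Debug(e.Message);
                    Log.Debug(e.StackTrace);
                    Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
                }
            });

            DatabaseManager.Commit();
            Stop();
        }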
        /// <summary>
        /// Walks each hive in <see cref="Hives"/> through both registry views and appends every converted
        /// key to <see cref="Results"/>; nothing is written to the database by this variant.
        /// </summary>
        /// <remarks>
        /// No hive-level filtering is applied here. With <see cref="Parallelize"/> set, the keys of a view
        /// are processed with PLINQ, so <see cref="Results"/> is added to from several threads at once.
        /// NOTE(review): that is only safe if Results is a concurrent collection - confirm its declaration.
        /// </remarks>
        public override void ExecuteInternal()
        {
            foreach (var hive in Hives)
            {
                Log.Debug("Starting " + hive.ToString());

                // Converts one key and records it; a key the walker rejects is logged and skipped.
                void Collect(RegistryKey registryKey, RegistryView registryView)
                {
                    Log.Verbose($"Beginning to parse {registryKey.Name} in view {registryView}");
                    try
                    {
                        var converted = RegistryWalker.RegistryKeyToRegistryObject(registryKey, registryView);
                        if (converted != null)
                        {
                            Results.Add(converted);
                        }
                    }
                    catch (InvalidOperationException e)
                    {
                        Log.Debug(e, JsonConvert.SerializeObject(registryKey) + " invalid op exept");
                    }
                    Log.Verbose($"Finished parsing {registryKey.Name} in view {registryView}");
                }

                // Both walkers are requested up front, then the 32-bit view is processed before the 64-bit one.
                var x86Keys = RegistryWalker.WalkHive(hive, RegistryView.Registry32);
                var x64Keys = RegistryWalker.WalkHive(hive, RegistryView.Registry64);

                foreach (var (keys, view) in new[] { (x86Keys, RegistryView.Registry32), (x64Keys, RegistryView.Registry64) })
                {
                    if (Parallelize)
                    {
                        keys.AsParallel().ForAll(registryKey => Collect(registryKey, view));
                    }
                    else
                    {
                        foreach (var registryKey in keys)
                        {
                            Collect(registryKey, view);
                        }
                    }
                }

                Log.Debug("Finished " + hive.ToString());
            }
        }
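        /// <summary>
        /// Collects every key of every hive in <see cref="Hives"/> from both the 32-bit and the 64-bit
        /// registry view and writes each converted key to the database under <see cref="RunId"/>.
        /// </summary>
        /// <remarks>
        /// No hive-level filtering is applied by this variant. Fixed: with <see cref="Parallelize"/> set,
        /// the second <c>Parallel.ForEach</c> re-walked the 32-bit enumerable while tagging the results as
        /// the 64-bit view, so the 64-bit registry view was never actually collected in parallel mode.
        /// </remarks>
        public override void ExecuteInternal()
        {
            foreach (var hive in Hives)
            {
                var hiveName = hive.ToString();
                Log.Debug("Starting " + hiveName);

                // Converts a single key and persists it. A key the walker cannot convert is logged and
                // skipped so that one unreadable key does not abort the rest of the hive.
                void IterateOn(RegistryKey registryKey, RegistryView registryView)
                {
                    try
                    {
                        var regObj = RegistryWalker.RegistryKeyToRegistryObject(registryKey, registryView);

                        if (regObj != null)
                        {
                            DatabaseManager.Write(regObj, RunId);
                        }
                    }
                    catch (InvalidOperationException e)
                    {
                        Log.Debug(e, JsonConvert.SerializeObject(registryKey) + " invalid op exept");
                    }
                }

                var x86_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry32);
                var x64_Enumerable = RegistryWalker.WalkHive(hive, RegistryView.Registry64);

                if (Parallelize)
                {
                    Parallel.ForEach(x86_Enumerable, registryKey => IterateOn(registryKey, RegistryView.Registry32));
                    // Previously this re-walked x86_Enumerable; the 64-bit view must use its own walker output.
                    Parallel.ForEach(x64_Enumerable, registryKey => IterateOn(registryKey, RegistryView.Registry64));
                }
                else
                {
                    foreach (var registryKey in x86_Enumerable)
                    {
                        IterateOn(registryKey, RegistryView.Registry32);
                    }
                    foreach (var registryKey in x64_Enumerable)
                    {
                        IterateOn(registryKey, RegistryView.Registry64);
                    }
                }

                Log.Debug("Finished " + hiveName);
            }
        }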
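        /// <summary>
        /// Entry point of the registry collector: after the platform check, starts the run, walks every
        /// hive in <see cref="Hives"/> in parallel, writes each key under <c>runId</c>, commits and stops.
        /// </summary>
        /// <remarks>
        /// Hives matching a "Hive/Exclude" filter and no "Hive/Include" filter are skipped. A "Key/Exclude"
        /// filter query whose boolean result was discarded has been removed; it had no effect on what was
        /// collected, and per-key exclusion is not applied by this method.
        /// </remarks>
        public override void Execute()
        {
            if (!this.CanRunOnPlatform())
            {
                return;
            }
            Start();
            // Kept from the original: reading Transaction presumably forces one to be opened before the
            // parallel writers start - TODO confirm against DatabaseManager.
            _ = DatabaseManager.Transaction;

            var platform = Helpers.GetPlatformString();

            Parallel.ForEach(Hives, hive =>
            {
                var hiveName = hive.ToString();
                Log.Debug("Starting " + hiveName);

                // Include takes precedence; an Exclude match skips this hive only (return ends just this iteration).
                if (!Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Include", hiveName)
                    && Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex Capturer))
                {
                    Log.Information("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), Capturer.ToString());
                    return;
                }

                var registryInfoEnumerable = RegistryWalker.WalkHive(hive, runId);
                try
                {
                    Parallel.ForEach(registryInfoEnumerable, registryObject =>
                    {
                        try
                        {
                            DatabaseManager.Write(registryObject, runId);
                        }
                        catch (InvalidOperationException e)
                        {
                            // One failed write is logged and skipped; the rest of the hive still runs.
                            Logger.DebugException(e);
                            Log.Debug(JsonConvert.SerializeObject(registryObject) + " invalid op exept");
                        }
                    });
                }
                catch (Exception e)
                {
                    // Worker failures surface here (Parallel.ForEach wraps them); log, report, and let
                    // the remaining hives finish.
                    Logger.DebugException(e);
                    Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
                }
            });

            DatabaseManager.Commit();
            Stop();
        }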
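        /// <summary>
        /// Parses every direct subkey of <paramref name="SearchKey"/> (typically a CLSID root) into a
        /// <see cref="ComObject"/>, resolves the InprocServer32 / InprocServer64 server binaries, and writes
        /// the results to the database under <see cref="RunId"/>.
        /// </summary>
        /// <param name="SearchKey">Key whose subkeys are the COM class entries; <c>null</c> is a no-op.</param>
        /// <param name="View">Registry view (32/64-bit) the keys were opened in.</param>
        /// <remarks>
        /// Fixes relative to the earlier version: results were appended to a <see cref="List{T}"/> from
        /// <c>Parallel.ForEach</c> workers without synchronization (entries could be lost or the list
        /// corrupted); opened <see cref="RegistryKey"/> handles were never disposed; the server-key match was
        /// a case-sensitive <c>Contains</c> although registry key names are case-insensitive, so a server
        /// registered as e.g. "InProcServer32" was skipped and its binary never checked; and a default
        /// value consisting of a single quote character made the quote-stripping <c>Slice</c> throw an
        /// exception that no handler caught.
        /// </remarks>
        public void ParseComObjects(RegistryKey SearchKey, RegistryView View)
        {
            if (SearchKey == null)
            {
                return;
            }

            List<ComObject> comObjects = new List<ComObject>();
            // List<T> is not thread-safe; every Add from a worker goes through this gate.
            var gate = new object();

            // Normalizes a raw default value into something the file-system collector and its permission
            // checker accept: trims whitespace, strips one pair of surrounding quotes, and qualifies a bare
            // file name against the system directory.
            static string CleanBinaryPath(string raw)
            {
                var path = raw.Trim();
                // Only strip when there are at least two characters, otherwise a lone '"' would underflow.
                if (path.Length >= 2 && path.StartsWith("\"", StringComparison.Ordinal) && path.EndsWith("\"", StringComparison.Ordinal))
                {
                    path = path.Substring(1, path.Length - 2);
                }
                // Unqualified binary name probably comes from Windows\System32 (same heuristic as before; the
                // real loader search order is broader). Values containing '%' are left for the collector.
                if (!path.Contains("\\") && !path.Contains("%"))
                {
                    path = Path.Combine(Environment.SystemDirectory, path.Trim());
                }
                return path.Trim();
            }

            // Returns the normalized default value of the first subkey whose path contains serverKeyName
            // (case-insensitive), or null when there is no such subkey or it has no default value.
            static string? ResolveServerPath(ComObject comObject, string serverKeyName)
            {
                var serverKey = comObject.Subkeys.FirstOrDefault(
                    x => x.Key.Contains(serverKeyName, StringComparison.OrdinalIgnoreCase));
                if (serverKey?.Values != null && serverKey.Values.TryGetValue("", out string? raw) && raw != null)
                {
                    return CleanBinaryPath(raw);
                }
                return null;
            }

            try
            {
                Parallel.ForEach(SearchKey.GetSubKeyNames(), SubKeyName =>
                {
                    try
                    {
                        // RegistryKey owns a native handle; dispose it once it has been turned into a plain
                        // object (assumes RegistryKeyToRegistryObject reads eagerly - TODO confirm).
                        using var CurrentKey = SearchKey.OpenSubKey(SubKeyName);
                        if (CurrentKey is null)
                        {
                            return;
                        }

                        var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey, View);
                        if (RegObj == null)
                        {
                            return;
                        }

                        ComObject comObject = new ComObject(RegObj);

                        foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                        {
                            using var ComKey = CurrentKey.OpenSubKey(ComDetails);
                            var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View);
                            if (obj != null)
                            {
                                comObject.AddSubKey(obj);
                            }
                        }

                        // InprocServer32 holds the 32-bit in-process server, InprocServer64 the 64-bit one.
                        var binaryPath32 = ResolveServerPath(comObject, "InprocServer32");
                        if (binaryPath32 != null)
                        {
                            comObject.x86_Binary = FileSystemCollector.FilePathToFileSystemObject(binaryPath32, true);
                            comObject.x86_BinaryName = binaryPath32;
                        }

                        var binaryPath64 = ResolveServerPath(comObject, "InprocServer64");
                        if (binaryPath64 != null)
                        {
                            comObject.x64_Binary = FileSystemCollector.FilePathToFileSystemObject(binaryPath64, true);
                            comObject.x64_BinaryName = binaryPath64;
                        }

                        lock (gate)
                        {
                            comObjects.Add(comObject);
                        }
                    }
                    catch (Exception e) when (
                        e is System.Security.SecurityException ||
                        e is ObjectDisposedException ||
                        e is UnauthorizedAccessException ||
                        e is IOException)
                    {
                        // Keys the scanning account cannot read are skipped, not fatal.
                        Log.Debug($"Couldn't parse {SubKeyName}");
                    }
                });
            }
            catch (Exception e) when (
                e is System.Security.SecurityException ||
                e is ObjectDisposedException ||
                e is UnauthorizedAccessException ||
                e is IOException)
            {
                Log.Debug($"Failing parsing com objects {SearchKey.Name} {e.GetType().ToString()} {e.Message}");
            }

            foreach (var comObject in comObjects)
            {
                DatabaseManager.Write(comObject, RunId);
            }
        }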
        /// <summary>
        /// Parse all the Subkeys of the given SearchKey into ComObjects and returns a list of them
        /// </summary>
        /// <param name="SearchKey">The Registry Key to search</param>
        /// <param name="View">The View of the registry to use</param>
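        /// <summary>
        /// Parse all the Subkeys of the given SearchKey into ComObjects and returns a list of them.
        /// For each COM class the InprocServer32 / InprocServer64 default value is normalized and resolved
        /// to a file-system object through a <see cref="FileSystemCollector"/>.
        /// </summary>
        /// <param name="SearchKey">The Registry Key to search; <c>null</c> yields an empty list.</param>
        /// <param name="View">The View of the registry to use</param>
        /// <param name="SingleThreaded">Process subkeys sequentially instead of with PLINQ.</param>
        /// <returns>The parsed <see cref="ComObject"/>s, in no particular order when parallel.</returns>
        /// <remarks>
        /// Fixes relative to the earlier version: in parallel mode results were appended to a
        /// <see cref="List{T}"/> from several threads without synchronization; opened
        /// <see cref="RegistryKey"/> handles were never disposed; the InprocServer32/64 subkey-name match was
        /// case-sensitive although registry key names are not, so differently-cased entries were skipped;
        /// and a default value consisting of a single quote character made the quote-stripping <c>Slice</c>
        /// throw an exception outside the handled set.
        /// </remarks>
        public static IEnumerable<CollectObject> ParseComObjects(RegistryKey SearchKey, RegistryView View, bool SingleThreaded = false)
        {
            if (SearchKey == null)
            {
                return new List<CollectObject>();
            }

            List<ComObject> comObjects = new List<ComObject>();
            // List<T> is not thread-safe; every Add in the parallel branch goes through this gate.
            var gate = new object();
            var fsc = new FileSystemCollector(new CollectCommandOptions()
            {
                SingleThread = SingleThreaded
            });

            // Normalizes a raw default value into something the file-system collector and its permission
            // checker accept: trims whitespace, strips one pair of surrounding quotes, and qualifies a bare
            // file name against the system directory.
            static string CleanBinaryPath(string raw)
            {
                var path = raw.Trim();
                // Only strip when there are at least two characters, otherwise a lone '"' would underflow.
                if (path.Length >= 2 && path.StartsWith("\"", StringComparison.Ordinal) && path.EndsWith("\"", StringComparison.Ordinal))
                {
                    path = path.Substring(1, path.Length - 2);
                }
                // Unqualified binary name probably comes from Windows\System32 (same heuristic as before; the
                // real loader search order is broader). Values containing '%' are left for the collector.
                if (!path.Contains("\\") && !path.Contains("%"))
                {
                    path = Path.Combine(Environment.SystemDirectory, path.Trim());
                }
                return path.Trim();
            }

            // Parses one COM class subkey and appends it to comObjects.
            void ParseComObjectsIn(string SubKeyName)
            {
                try
                {
                    // RegistryKey owns a native handle; dispose it once it has been turned into a plain
                    // object (assumes RegistryKeyToRegistryObject reads eagerly - TODO confirm).
                    using var CurrentKey = SearchKey.OpenSubKey(SubKeyName);
                    if (CurrentKey is null)
                    {
                        return;
                    }

                    var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey, View);
                    if (RegObj == null)
                    {
                        return;
                    }

                    ComObject comObject = new ComObject(RegObj);

                    foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                    {
                        // Registry key names are case-insensitive, so match them that way.
                        bool is32 = ComDetails.Contains("InprocServer32", StringComparison.OrdinalIgnoreCase);
                        bool is64 = ComDetails.Contains("InprocServer64", StringComparison.OrdinalIgnoreCase);
                        if (!is32 && !is64)
                        {
                            continue;
                        }

                        using var ComKey = CurrentKey.OpenSubKey(ComDetails);
                        var obj = RegistryWalker.RegistryKeyToRegistryObject(ComKey, View);
                        if (obj?.Values == null || !obj.Values.TryGetValue("", out string? rawPath) || rawPath == null)
                        {
                            continue;
                        }

                        var binaryPath = CleanBinaryPath(rawPath);
                        if (is32)
                        {
                            comObject.x86_Binary = fsc.FilePathToFileSystemObject(binaryPath);
                        }
                        if (is64)
                        {
                            comObject.x64_Binary = fsc.FilePathToFileSystemObject(binaryPath);
                        }
                    }

                    lock (gate)
                    {
                        comObjects.Add(comObject);
                    }
                }
                catch (Exception e) when (
                    e is System.Security.SecurityException ||
                    e is ObjectDisposedException ||
                    e is UnauthorizedAccessException ||
                    e is IOException)
                {
                    // Keys the scanning account cannot read are skipped, not fatal.
                    Log.Debug($"Couldn't parse {SubKeyName}");
                }
            }

            try
            {
                if (SingleThreaded)
                {
                    foreach (var subKey in SearchKey.GetSubKeyNames())
                    {
                        ParseComObjectsIn(subKey);
                    }
                }
                else
                {
                    SearchKey.GetSubKeyNames().AsParallel().ForAll(subKey => ParseComObjectsIn(subKey));
                }
            }
            catch (Exception e)
            {
                Log.Debug("Failing parsing com objects {0} {1}", SearchKey.Name, e.GetType());
            }

            return comObjects;
        }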
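        /// <summary>
        /// Sequentially parses every direct subkey of <paramref name="SearchKey"/> into a
        /// <see cref="ComObject"/>, resolves the InprocServer32 / InprocServer64 binaries, and writes each
        /// result to the database under <c>runId</c>.
        /// </summary>
        /// <param name="SearchKey">Key whose subkeys are the COM class entries; <c>null</c> is a no-op.</param>
        /// <remarks>
        /// Fixes relative to the earlier version: opened <see cref="RegistryKey"/> handles were never
        /// disposed; a null result from the walker was added to <c>Subkeys</c> and then dereferenced in the
        /// server lookup; the server-key match was a case-sensitive <c>Contains</c> although registry key
        /// names are case-insensitive; a null default value crashed into the catch-all; and the repeated
        /// <c>Where(...).Count()/First()</c> scans are collapsed into one lookup per server key.
        /// </remarks>
        public void ParseComObjects(RegistryKey SearchKey)
        {
            if (SearchKey == null)
            {
                return;
            }

            // Normalizes a raw default value into something the file-system collector and its permission
            // checker accept: trims whitespace, strips one pair of surrounding quotes, and qualifies a bare
            // file name against the system directory.
            string CleanBinaryPath(string raw)
            {
                var path = raw.Trim();
                // Only strip when there are at least two characters, otherwise a lone '"' would underflow.
                if (path.Length >= 2 && path.StartsWith("\"", StringComparison.Ordinal) && path.EndsWith("\"", StringComparison.Ordinal))
                {
                    path = path.Substring(1, path.Length - 2);
                }
                // Unqualified binary name probably comes from Windows\System32 (same heuristic as before; the
                // real loader search order is broader). Values containing '%' are left for the collector.
                if (!path.Contains("\\") && !path.Contains("%"))
                {
                    path = Path.Combine(Environment.SystemDirectory, path.Trim());
                }
                return path.Trim();
            }

            // Returns the normalized default value of the first subkey whose path contains serverKeyName
            // (case-insensitive), or null when there is no such subkey or it has no default value.
            string ResolveServerPath(List<RegistryObject> subkeys, string serverKeyName)
            {
                var serverKey = subkeys.FirstOrDefault(
                    x => x.Key.IndexOf(serverKeyName, StringComparison.OrdinalIgnoreCase) >= 0);
                if (serverKey != null && serverKey.Values != null
                    && serverKey.Values.TryGetValue("", out string raw) && raw != null)
                {
                    return CleanBinaryPath(raw);
                }
                return null;
            }

            foreach (string SubKeyName in SearchKey.GetSubKeyNames())
            {
                try
                {
                    // RegistryKey owns a native handle; dispose it once it has been turned into a plain
                    // object (assumes RegistryKeyToRegistryObject reads eagerly - TODO confirm).
                    using (RegistryKey CurrentKey = SearchKey.OpenSubKey(SubKeyName))
                    {
                        if (CurrentKey == null)
                        {
                            continue;
                        }

                        var RegObj = RegistryWalker.RegistryKeyToRegistryObject(CurrentKey);

                        ComObject comObject = new ComObject()
                        {
                            Key     = RegObj,
                            Subkeys = new List<RegistryObject>()
                        };

                        foreach (string ComDetails in CurrentKey.GetSubKeyNames())
                        {
                            using (var ComKey = CurrentKey.OpenSubKey(ComDetails))
                            {
                                var sub = RegistryWalker.RegistryKeyToRegistryObject(ComKey);
                                if (sub != null)
                                {
                                    comObject.Subkeys.Add(sub);
                                }
                            }
                        }

                        // InprocServer32 holds the 32-bit in-process server, InprocServer64 the 64-bit one.
                        var binaryPath32 = ResolveServerPath(comObject.Subkeys, "InprocServer32");
                        if (binaryPath32 != null)
                        {
                            comObject.x86_Binary     = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(binaryPath32), true);
                            comObject.x86_BinaryName = binaryPath32;
                        }

                        var binaryPath64 = ResolveServerPath(comObject.Subkeys, "InprocServer64");
                        if (binaryPath64 != null)
                        {
                            comObject.x64_Binary     = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(binaryPath64), true);
                            comObject.x64_BinaryName = binaryPath64;
                        }

                        DatabaseManager.Write(comObject, runId);
                    }
                }
                catch (Exception e)
                {
                    // Best-effort per class: an unreadable or malformed entry is logged and skipped.
                    Log.Debug(e, "Couldn't parse {0}", SubKeyName);
                }
            }
        }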